In recent months the state of California has stepped up its efforts to enforce the California Online Privacy Protection Act (COPPA). In December, Attorney General Kamala Harris made an example of Delta Airlines, which had ignored a letter warning the carrier that it was in violation of COPPA. The statute requires every app which collects data about California users (which, practically speaking, means every app) to conspicuously post a privacy policy disclosing what information is collected and how it will be used.

In a new report, Harris's office offers an official set of recommendations for mobile app developers. California urges app developers to "minimize surprises to users from unexpected privacy practices." In addition to posting a standard privacy policy, the state also recommends the use of "special notices" to alert users when an app might be using data in a way the user might not expect. For example, when an app needs the user's location, the user is typically alerted and given the opportunity to allow or block the application from getting the current location. The state recommends using similar notices when an app collects other sensitive information.

The 23-page report offers a wide variety of other recommendations. Most of them are directed at app developers, but there are also recommendations for the companies that operate app stores, advertising networks, and wireless networks. The state recommends that app developers limit data collection, limit data retention, and avoid using global device identifiers that could be correlated across apps.

The report also recommends using encryption to handle data, limiting access to personal user data by employees, and designating an employee to periodically review an app's privacy practices to ensure that the privacy policy remains up to date.

Finally, the state recommends making privacy policies easy to read and easy to understand. For example, the report suggests presenting privacy information in a "grid or 'nutrition label for privacy'" format that "displays your privacy practices by data type."

These seem like sensible suggestions. And for the most part that's all they are: suggestions. The state's authority to regulate mobile data practices flows from the provisions of the COPPA, which don't mention most of the recommendations in the AG's report. To comply with California law, all you have to do is write a privacy policy accurately describing your data practices and post it somewhere your users can easily find it. The law doesn't say anything about "special notices," minimizing collection of sensitive information, encryption, or most of the other topics covered by the report.

"The recommendations go beyond the law," Special Assistant Attorney General Travis LeBlanc acknowledged in a Wednesday interview. "The law sets the floor for what everyone needs to do."

But he said the state hoped to "move the discourse forward" by educating mobile developers about what state officials view as the best practices for mobile privacy. The report, he says, "walks them through in plain English what they need to think about in terms of privacy."

He said the state planned to follow up the report with training sessions in the spring, which will be targeted at smaller developers that can't afford to hire full-time privacy experts to craft their privacy policies.

At the same time as it deploys the carrot of helpful advice, the state also plans to continue using the stick of stricter enforcement. LeBlanc told us that the state expected to file another lawsuit in the next month or two against a mobile app developer that had failed to comply with COPPA's requirement of a conspicuous privacy policy. And LeBlanc says that the next step will be to begin enforcing the substance of privacy policies: ensuring that what companies say in their privacy policies matches what they actually do with user data.

30 Reader Comments

The whole privacy thing is getting much too complicated for everyone. I think we need something similar to CC badges (Creative Commons) but for privacy. This way it would be easy for both developers and users to quickly understand what kind of privacy to expect from the various sites and apps that displayed the badge.

COPPA has become an "all expansive" tool for banning anyone under the age of 13. It's not an effective law for protecting children because it doesn't do what it was originally designed to do and restricts children from using websites.

I run and operate a popular anime and manga site and members under the age of 13 are also banned. I just don't want the headaches that come with COPPA. While I do my due diligence and ban anyone who harasses anyone on my community, which I think is up to each administrator on how to deal with problems like that but COPPA is simply being abused by government agencies as a means to further restrict anyone from using private websites.

The age check is more of an insurance for website owners, as it's basically a ToS agreement, preventing them from being at fault if an under-age user incurs some form of malicious behavior.

I wouldn't mind seeing some sort of check system or a certification system to ensure that it meets privacy standards. Like having a website Veri-signed or something. Throw up a base set of rules and a basic statement that you comply with the minimum set by the gov't for no frills/barebone apps. Then if you want to be certified shell out a $50 fee or something to have a company review show that your app meets trusted standards. The only real problem is that updates are pushed so much. Either have to re-certify every time (which will just drive up app prices and the cost of certification) or honor system and have limited free check-ups quarterly or when big code re-writes occur, so you can ignore the small bug fix pushes. Either way more transparency so I don't have to dig through the app is better.

The Internet has changed everything but the lawmakers are still thinking in the old-fashioned way. If a Californian visits Florida and decides to buy a car, would the car salesman be required to know Californian laws and disclose Californian-specific statement to him/her?

I am all for protecting the consumers, but this seems to be getting out of hand. What if every state chooses to have their own stringent privacy laws like California? Would all small-shop developers need to become familiar with these laws and design their site and app around them? And what if these are firms outside of the US? These types of laws are not practical. Developers/companies will be "breaking the laws" simply because they are mere humans and can't keep up.

Case in point, I recently hired an IP lawyer to do a privacy statement for our company. It cost us a bunch of money (small shop, small budget) that we had to spend. And I can tell you that even IP lawyers cannot keep up with this type of nonsense.

The problem is these optional web certification systems, as they work now, are a joke. (I'm looking at *you* TrustE.) They rely on self-reporting, self-compliance and no meaningful checks or repercussions for lying, and exist solely to generate revenue for the certification authority.

I, as a freelance developer, working with a USA client on a rather specific kind of mobile, can confirm that such recommendations ARE of issue and at least read by the team, and questions like 'does this part apply to us, and how do we handle it' are being asked internally.

There is a 'lawyer-style' privacy policy (about 5 screens) and there is also a light, readable by regular users, one-page version of it.

(As for COPPA, all compliance with it right now is just a ticket in Redmine saying 'If age entered on registration is under 13, just make it not possible for this user to actually use app', and of course mandatory words in ToS and Privacy Policy.)

I'm still trying to figure out how California plans on enforcing this.

No one would be in violation of Interstate Commerce Laws.

They have no jurisdiction over anyone outside of their State borders and therefore cannot bring charges against any non-resident dev that has not broken any Federal Laws.

The ONLY people that are required to comply with California State Law are the Residents of California and any visitors inside the State borders.

And even then - visitors subject to California Laws are limited. Such as if I drive my car (registered in another state) to visit friends or family that live in Calif and my car does not comply with their emissions standards - nothing they can do about it.

I am looking forward to California attempting to file criminal charges against non-residents. This is going to be fun.

Hate to disappoint the State of California - but no one is forcing any Calif. resident to download or purchase any Apps.

Just more worthless bureaucracy from CA. If one tenth of one percent of users pay any attention whatsoever to what is collected, I'd be surprised. Not to mention it can take a graduate degree to read and understand that stuff. That's how the companies get around the law in the first place.

Part of the problem is that there doesn't really seem to be a cost to collecting the data. And since it may have value, companies seem to want to just snarf up as much as they can. I'm not sure the current laws are the right approach, but I do feel that there needs to be some sort of cost associated with data collection. Since there isn't going to be any significant technical cost (quite the opposite as the cost of storage keeps dropping) the only way to impose a cost is really via legal means.

What I would actually prefer would be a law (which I think could be relatively simple) which required companies to provide users with copies of the data which relates to the user. The added implementation cost would discourage the needless data collection which happens today, and the reputation cost would prevent the collection of inappropriate data.

How arrogant is California to think that they can force their laws on citizens of other states let alone other countries?

It seems to me that this is really targeted at developers not users when it comes to regulations. Most of the privacy related concerns on the web center around companies based in California (Facebook, Google, Apple, Twitter, etc). A state has the right to regulate businesses within its jurisdiction, which, it turns out, California includes most of the major internet companies out there.

Also, regarding the age of 13 comments, are you sure you're referring to COPPA, not, well, COPPA (Child Online Privacy Protection Act)? Two different provisions that share the same name.

I'm aware that they're targeting developers. What you pointed out is great and all, but that would basically mean they only have the right to regulate APPLE, not the developers acting as sole proprietorships from other states or countries.

Yeah, that's correct. In order for California to regulate a company, that company must have an established presence in the state and I highly doubt this document tries to change that. It's just worth noting that the majority of internet companies targeting US customers have some sort of presence in California, therefore California has jurisdiction over them, so it can be easy to conflate "internet based companies with a presence in California" with "internet based companies targeting US customers" since there is such a large overlap.

While many of the bigger Internet-based companies have some presence in California, I don't think they're the ones that people are concerned about. This applies to mobile app developers. That includes tons of small indie studios, as well as individual developers working in their spare time as a hobby.

"The statute requires every app which collects data about California users (which, practically speaking, means every app) to conspicuously post a privacy policy disclosing what information is collected and how it will be used."

This law is basically saying (as I understand it) that if some hobbyist developer in Germany creates an app and posts a link to it in this forum, and someone in California downloads it and sideloads it onto their mobile device, and it collects any data at all, the developer is legally required to provide a privacy policy that meets the California standards.

This is absolutely absurd from the perspective of jurisdiction. Imagine if every state and town started passing laws like this (and not just about apps and privacy policies, but about web sites and other online content). Imagine if other nations started passing laws like this. It would suddenly mean that you couldn't do anything on the web unless it was legal everywhere in the world.

People should only be required to obey the laws of the place where they are, or where they are initiating action. If I hack into a server in California, I'm initiating the action, so California laws could reasonably apply. If someone from California downloads my app, they are initiating the action, so California laws could apply to them, but not to me (unless I'm also in California).

If I create a website that offends someone's religious beliefs, and some theocracy on the other side of the world decides that such blasphemy is a capital offense, that doesn't mean they should be able to extradite me to their country and execute me just because someone there viewed my site. For the same reason, just because someone in California uses my app, that doesn't mean I should suddenly be subject to California laws.

-Kasoroth

It's certainly possible that the statute is poorly worded (it wouldn't be the first time poor legislation was created). If so, the courts will strike it down in due time, appropriately so IMO. I'm just skeptical that this is actually true since we are reading a summary of a document that touches on legislation but mostly contains non-binding recommendations. I could go read the original document to ascertain for certain whether or not this is the case, but I'm too lazy/busy

Let's say I'm an "app developer" in anywhere but CA & make the next must have app, I stick it up on Apple/Google/MS's app store & set a price for my must have app.
* Some CA resident buys my app on their phone with a charge to their monthly mobile bill, the mobile provider takes a cut & pays Apple/Google/Microsoft who take a cut & pay me somehow.
* Possibility 2: Same as above, but substitute a credit card/PayPal account linked to a credit/bank account for the mobile's monthly bill.

I'm not a lawyer, but from my limited knowledge of the law, the only parties responsible for complying with the CA law are the buyer, the mobile operator running in CA, & maybe MS/Apple/Google simply because they like their phones being sold in CA. I'm not running a store in CA, maintaining a presence in CA, shipping to CA (or anyplace else). My involvement was simply "write app" > "give app to MS/Google/Apple and let them sell it for X" > "collect money & potentially 'information' that might be as simple as webserver logs". CA has to realize this law is pretty silly.

Maybe I'm misunderstanding something, but when you write legislation isn't the jurisdiction implied? I'm not certain why everyone assumes because the law doesn't explicitly say this is only valid for CA developers and companies with a presence in CA, that must mean they are going to try to use it against everyone. So far the companies that they have gone after are large companies which DO have a presence in CA, and are therefore subject to CA laws. It's the same as companies who have a physical presence in, say, Europe are similarly liable to obey their data protection laws.

If and when they go after the small guy who lives in another state/country then that is the time to raise all hell. Until that point there doesn't seem to be any evidence of going beyond jurisdiction or even intent to go beyond it. I'm not sure I understand what all the freak out is about.

If I want to use a service at no financial cost to me, I expect to give something in return that the company values so that they can pay their bills and earn a profit. That is my data. That is the deal, I accept it.

And I certainly don't want to read pages of some legalese TOS nonsense that I'm just going to click accept anyways, as that's the only way I get to continue and use the app/service.

So what difference does it make, at the end of the day, what they put in the TOS? I mean, really, who cares? How does it actually affect your life? You know, IRL.

Personally, I'm thinking of making an app for people to volunteer more of their data in better detail, so companies don't have to resort to trying to mine it all and put the pieces together, so I don't get ads about pills or pairs of Depends I don't want to see to begin with. If I have to see ads, I'd rather see them about things I actually care about.

Years ago I was a Software Consultant in Oregon. California sent me a demand letter that I pay them 15% of all my income, regardless of where it was earned, and they would work out how much they would send back to me.

I actually laughed in the ignorant ass's ear, declaring that if I did any work in California, from now on my price was going to be $1. I suggested that he leave his contact information with me because I was turning him and the State of California in to the Oregon Attorney General for Extortion. He hung up without giving me any more details or grief. I never heard from the State of Scam again.

The problem is not communicating all of this to developers. The real issue is communicating this to the business owners and non-technical project managers that fund and manage the development of these apps. App developers have enough of a challenge explaining the "you can't do that" technical restrictions. The challenge of the "you shouldn't do that" is 100 times harder. Until it's a business requirement, it will never be an applicable technical requirement.

I'm still trying to figure out how California plans on enforcing this.

No one would be in violation of Interstate Commerce Laws.

They have no jurisdiction over anyone outside of their State borders and therefore cannot bring charges against any non-resident dev that has not broken any Federal Laws.

The ONLY people that are required to comply with California State Law are the Residents of California and any visitors inside the State borders.

And even then - visitors subject to California Laws are limited. Such as if I drive my car (registered in another state) to visit friends or family that live in Calif and my car does not comply with their emissions standards - nothing they can do about it.

I am looking forward to California attempting to file criminal charges against non-residents. This is going to be fun.

Hate to disappoint the State of California - but no one is forcing any Calif. resident to download or purchase any Apps.

It seems obvious, but consider the CARB requirements imposed on automobiles. They're a legal oddity in that California is the only state that can establish their own air quality standards. But even though they can't regulate anything outside of California, they have the same effect, since nobody wants to design multiple versions of vehicle emission systems if they can avoid it.